Trends & Telemetry in Cyber Insurance
In this video, industry experts delve into the complexities of cyber insurance for managed service providers (MSPs) and their clients. They explore the evolving landscape of cyber insurance, discussing the challenges and opportunities it presents for MSPs in enhancing security measures and client relationships. Learn how MSPs can navigate insurance requirements, improve cybersecurity practices, and ultimately provide better protection for their clients in this insightful discussion.<ul><li>Cyber insurance rates have skyrocketed and coverage has decreased significantly, making it crucial for MSPs to engage in insurance discussions with their clients.</li><li>MSPs play a vital role in helping clients understand and implement necessary cybersecurity measures to meet insurance requirements and mitigate risks.</li><li>The cyber insurance industry is evolving to incorporate continuous risk assessments and telemetry data to better evaluate and price policies.</li></ul>
Guests
Video Transcript
All right. Welcome everybody. We are in week 96. How is everyone doing today? Awesome. Awesome. I like your shirt. We, that is very, Very, yeah, it's like a Jaws throwback, right? Except Fin's coming up. Yeah, It's awesome. Very, very cool. Very cool. Um, Gary, good to see you. Um, how are things in your world, my friend? They're awesome. Uh, look, we got tech support jumping in over there. Yep, exactly.
We got a little, uh, background, but we got everybody with us, and we're gonna get started here. All right. Just a quick announcement. I have, um, uh, I put in the, uh, link below. So we've launched Launch Span has launched. Better yet, the MSP training, give or take. There's about a hundred in in so far, we haven't opened it up huge yet. Um, tomorrow we are going to do the first Ask John anything on it. If you still want access to it and join and give feedback, I encourage you all to do so.
Um, just let me know after you signed up and I'll get you the Zoom link. Um, so that's there. Can, Can I ask him not to put backdoor and breaches in the same sentence? He did. He did that just for you, Gary, just for you. Um, okay. So let me set the stage here. And I am still thinking of a poll question. Wes, you, you, you're welcome to maybe shoot one over to me and if you have an idea or two 'cause you've been in Yeah. Lot. Here's, here's a question. Here's a great one.
Has your MSP planned for, I'm just trying to think of how we Strat like have you planned for engaging cyber insurance discussions in, in this calendar year? Or are you currently, have you standardized insurance discussions in your q That's another way to say it. Just to kinda get a gauge of like how many are like friendly to this and understanding it and ready for it just to open up the conversations with clients. Yeah.
Hey Wes, do you remember it was probably, I don't know, a year ago or maybe a little bit less, we did a poll and we asked a question. Um, how many people have had a cyber insurance conversation with all of their customers? And, um, I'm wondering if the results will be any different today, Andrew. Yeah, we'll put that up too. That's a great, great. You you. Yeah. I like, I like both of those. 'cause one is like, are you at least engaged on the Journey?
Two is, have you standardized and really gotten it going with all of 'em? I, that's, yeah, those are the two questions. I'll get the other one up in a second because Gary, if I remember right, we were like 90% no on the all question. Correct. Something like that. Correct. Majority. Which, which was understandable, right? Like that's totally normal for a year ago. Yeah. Yeah. But not now. 'cause we've been talking about it for a year. Yeah. All right.
So lemme set the stage here and get into intros and we'll hand it off to Mr. Weeks first today. All right. So, uh, following last year's small events like SolarWinds, colonial Pipeline, JBS, and, um, uh, the Kase incident in July, the year of the supply chain, let's call it. Um, we saw, I would say, um, the finally the, the, the straw that broke the cyber insurance back as it were.
Um, I'm sure Jack, who's been in this whole war game a long time, will have a different, you know, perspective that he'd seen a lot of this going on. But post that event in July, we saw things just take a dramatic turn. MSPs getting cut from their carriers not able to renew. We saw premiums skyrocket 60, 70%. We saw, uh, coverage get cut in half overnight. We saw guys like Justin Remu come on that were capped at $2 million cap for the first time ever. He had to get creative.
He was able to write additional policies. However, um, again, seemingly things changed overnight. Um, so with that, um, I wanted to bring on two folks. Uh, one I was kind of a serendipitous. Um, I've known Jack in a past life and serial entrepreneur, um, heavily involved in, um, continuous monitoring and compliance in cloud infrastructure. Built a business there and then launched Cowbell a few years back.
And then we've got Dustin Bolan, who comes from the MSP side, getting involved in the cyber insurance business. So, Jack, let me let you start off with yourself, your introduction. I'll hand it over to Dustin and then let Mr. Weeks take it on over. Yeah, good afternoon. Uh, hey everyone. Um, and good morning folks on the West Coast. Jack Del founder and CEO of Cowbell. Uh, it's great to be here, Andrew. I appreciate the invite and, uh, really good to, uh, reconnect with you after a few years.
Uh, you know, I began the journey of cowbell about three years ago. Uh, a good bunch of my career I spent in software and cybersecurity. Uh, this is the first company I founded, but I have built, um, and grown bigger companies and build smaller companies, uh, to date. Uh, fast forward today, uh, three year journey with Cowbell. Um, our products are distributed by about 16,000 brokers. It's perhaps the largest producer network in the market.
Uh, and, uh, we aim to get to a hundred thousand, uh, policy holders over the next three years. Um, and you know, as we dive in, I'm happy to, uh, uh, discuss more about how we do it, what's so special. Uh, but more importantly, I'm keen to, uh, discussing cyber insurance for MSPs and your customers today. So, uh, great to be here. Thank you again. Yeah, great to have you with us, Jack. Dustin. Uh, I'm Dustin Bollinger, uh, two time MSP owner.
Um, I started my second one back in 2019, and it's been, uh, rocket ship. We're at, uh, 25 folks this year, and it's not slowing down at all. Uh, I got sucked into cyber insurance last year. Uh, I had a mutual friend introduce me to, uh, somebody over at Fifth Wall, who, it's a wholesaler, which is basically like a distributor, right? Think like PAX eight for cyber insurance. Uh, and so I actually managed to, uh, suck we in a little bit too.
And we're both board advisors over there helping them learn how the MSP industry works. And you know what, uh, we're focusing a lot. It's west, so naturally we're focusing a lot on education, right. But, uh, I've been spending, uh, more time over there every day, uh, learning about cyber insurance, so, Good. Good. Well, welcome and good to have your perspective on this, Ryan. Um, you guys don't, you know, insure anything, I'm sure at da. Oh, you probably just self-insure on cyber.
So you let the, you know, the con controls and po you know, you're just like Fort Knox over there. So anyway, my friend, let, let it rip and, uh, take it away here. Mm-Hmm. Yeah. So Jack, the last time on the cyber call that we discussed cyber insurance, just a level set with you. Mm-Hmm. It was, seemed to be around a period of time where a lot of MSPs were going for annual renewals, and it was kinda six to nine months after last summer, which saw four or five major ransomware incidents. Yep.
Which led to a massive decrease in appetite for insurers, some insurance, some insurers exited entirely. Um, and then that was leading driving to increased premiums and the difficulties of some MSPs and SMDs to get insured at all. So with that as the basis for the last time, you really had a kind of a structured conversation around this. Give us your overview of your perspective on like where the cyber insurance industry is now, specifically as it relates to MSPs and SMPs. Yep. Yep.
No, great question. It's, uh, probably deserves a, a good lengthy dialogue. We'll try to be as succinct as we can. Uh, you know, the cyber insurance is not very new. Um, but the carriers who underwrote cyber for a long time, there was a lot of focus on how best you can underwrite cyber.
And at the time, just like any other commercial insurance, uh, you basically as a carrier underwriter, you really relying on the revenue of the company, the headcounts of the business and the industry class of that business. And there wasn't a lot of risk intelligence beyond that. Like, I think the topic of the conversation today, the telemetry, it just not factored in in terms of underwriting cyber.
And then the second part, with respect to, so the market has grown tremendously, just like the cybersecurity market that we all saw in front of our eyes. Now it's $150 billion market. 10 years ago it was 150, it was $8 billion market. And we started to see cyber insurance market in a similar trajectory, right? This is about nine to $10 billion premium market today.
Now, not only the premium has gone up 60%, and I think Andrew was right to uh, point it out earlier, the coverage has dropped significantly. And for our today's audience, you know, uh, the number two target, uh, for cyber threat is MSPs. Just because what we do as part of a business, what you do, I'm not an Ms P, uh, but the number one target is the folks who manufacture software for those MSPs because the supply chain is a pretty big, uh, threat, especially when it combined with ransomware.
So what I'm saying is that the end of the day, the traditional carriers who underwrote cyber and some of them have wrote a really large book of business that always has been a disconnect between the risk that you underwrote and the policy that you have. And so many carriers did not go to those customers up until the time of renewal. And that conversation was also brokered. That means there was not a direct connectivity with the policy holder. Things are changing in the marketplace, right?
Folks like ourself, you know, we are a full stack insurer, uh, and plus minus 30% of our premium we derive based upon our continuous risk assessment. That means there are about 32 million SMEs in the target market that we wanna serve businesses under 250 million in revenue. Predominantly. That's kind of your, most of your end user, uh, base. Uh, and, uh, we continuously monitor them from attack surface, dark web, uh, uh, business interruption, loss cost and whatnot.
And what that allows us to do is it allows us to then remove this barrier to say, Hey, look, we are not gonna underwrite MSPs, or, Hey, we're not gonna underwrite public entities, or, Hey, we're not gonna write schools. So you don't make that decision based on the industry class, and you don't make that decision based upon the revenue. You make that decision based upon the, what you see as a relative risk of that business compared to these 32 million other businesses.
So we take an approach of what we call relative rating of that business. And so we are able to write, underwrite, uh, not only many end users, but some of the MSPs who possibly have one of the best controls in the marketplace. So unfortunately, uh, the rate increase is not gonna stop in the long run. I do believe that the coverage the product has to get better, right? I mean, what used to be a $10 million limit is now a 3 million limit.
Uh, and it's very hard to get 5 million, uh, these days if you like. And all of that has to do with, you know, there's this tremendous amount of demand in the marketplace. It's no longer contractual obligation and fear. It's now a business risk. It's a corporate risk, uh, factor.
And so because you have to have it, and there is so much demand on the supply side, there is a lot of constraint, uh, because as the premium has increased, it just isn't enough supply in the marketplace in terms of the reinsurance capacity that would support underwriters and MGAs and carriers like ourself. So there are alternative models that are taking place to increase the capacity in the marketplace.
So I do believe that over the next 18 months, this idea of we just simply not gonna write because you're an MSP or because you're a public entity or because you are a university or school, that should not be the barrier, uh, for getting cyber insurance underwritten for highly complex businesses, uh, like MSPs, uh, if you will. Very cool. Very cool. Okay.
So, man, if I could summarize that, it sounds like still somewhat hard market, not really seeing any easing and both terms of premiums as well as amounts of coverage. Um, so kind of feels like maybe more of the same. Um, Yeah, so I guess The same, uh, as, as an MSPI. Yeah. Um, we're getting a ton of questions. I mean, that's what got me into this whole thing was digging in. Um, we're seeing clients, you know, their rates are going up.
Um, they're seeing a lot more requirements coming in, which has been awesome. Um, I personally love cyber insurance at this point, now that I understand it, because I'm not the bad guy. Like, Hey, insurance is telling you we need MFA everywhere. We need EDR, we need this, that, and the other. So the security, uh, improvement, you know, that's the regulation. I think it was Brad Gross last year at IT Nation did the presentation of regulation for MSPs.
And it was like six of, you know, California law, New York law, doesn't matter. It doesn't matter. And then this last slide was insurance. And that's totally what we've been seeing on the MSP side is suddenly the clients are paying attention, um, and doing all this stuff we've been telling them and begging them to do, because insurance is saying, you gotta, otherwise, we're either not gonna insure you or your rates are gonna be sky high.
Uh, so no, I I'm, um, not from the cost perspective, but the security controls perspective, I've been excited of what's happened over the last year. 'cause it's just raised the bar so much for the clients. They're doing all the stuff that they need to, or they're trying to do the stuff that they need to. And Dustin, this is what we all saw coming, right? Like I remember at IT Nation Secure, it was at, I think it was last year I was on the keynote station. I said, this is gonna happen.
Like, we're going to see Insurance force compliance and the minimum standard being raised way faster than regulation regulations coming, but insurance is gonna drive it. And, and here we are. If you were surprised you weren't paying that much attention. Yeah. Quick, quick question, Ryan, if I could pose it to, you know, how about 30 seconds for Jack and then Dustin, the CISA document that came out, give or take now two weeks ago, right?
That in essence is talking about managed service providers, again, being a risk supply chain. Here's our recommended things, which kind of coincides with C-I-S-I-G one, which is what you see a lot of the, you know, uh, insurers now in their, as in their, you know, renewal assessments. Um, Jack to you, 30 seconds, does CSA hold really any, from your perspective? They put out these documents, do, do they hold any water down market?
They do, and I think this is the second time, uh, they actually done it, you know, the first time was, uh, during the log four JI think they, they're very diligent about when they come out with these type of alerts and, uh, because everyone takes it seriously, right? And, uh, uh, obviously there's a lot of threat. I have seen, uh, inner workings of csun and how the threat, uh, intelligence and the collection happened there. Uh, and of course it's important.
It's just, uh, many people are already doing it. Uh, I think it's just a matter of highlighting that, hey, this is a brand new threat and in a lot of their focus on the eight specific industries that they have identified as a mission critical for running the nation's infrastructure. Um, but yeah, I would take it seriously.
I, we do, uh, we make sure that if there's something coming from csa, uh, that we include that in our models and immediately, uh, figure out how much of our risk pool is being affected by, uh, the alert that they are sending. Cool. Dustin, do you guys use it at all? You know, in your conversations little bit, does it carry any water with your clients, prospects, et cetera? Uh, little bit.
Um, I mean, it's a prospects and the clients don't really tend to pay attention to stuff unless it has t uh, Felicia actually put a point to that, you know, CS has no enforcement capabilities. Um, so we'll bring it up. I mean, it's a good conversation starter, but, you know, that kind of stuff tends to be 30 seconds and then you move on to the meat of The conversations. Y yeah, one of the things I was gonna say, the thing about CSA is in to their own admission, they're non-regulatory, right?
They're non-law enforcement, they're non intelligence. They've described themselves as those non things. And so in order for CSA to have teeth, you gotta make it have teeth in the client conversations. You really have to talk to them as the authority, as the source of like the groundswell, what the federal government sector is seeing, and then make that relevant to them, as CISA said. So it takes some time to like build that in, but they don't have any teeth.
So, so clients are not gonna naturally knee-jerk and be like, whoa. Well, if CISA said it, I better listen. Insurance is totally different. They're like the exact opposite of that. Sure. Brian, back to you. Yeah. So to Jack, I had a hell of a time with our insurance renewal, uh, last year. Mm-Hmm. Part of the reason was, um, because of the events of last summer, I was being painted with this broad risk brush because of the nature of our company.
Um, and that was really frustrating to me because I was like, no, you need to assess our individual risk and, and have a conversation with us. So with that as context, talk to us about the different approach that you're taking, this kind of closed loop management system you have and, and talk to us about how that works and ultimately why you think that's better than maybe using these kind of broad external risk data approaches versus, uh, you know, a more measured assessment of the insured.
Yeah, and I hope it doesn't sound like a commercial, but, you know, closed loop risk management, it's a, it's a big deal. Um, we use that as a, uh, call it a big poll intent in how we underwrite. And what it allows us to do, Ryan, is it allows us to abstract, uh, irrespective of what type of business, uh, you are running, how complex, what type of industry you are in.
And the first and big part of our closed loop risk management is we monitor this risk pool of 32 million businesses in the marketplace. And yes, they, there's not, uh, when we do it from outside in, there's not any much inside out. Uh, but you're basically looking at how the hackers might see your operations. And what it allows us to do is it allows us to rate that business across nine different rating factors, including supply chain is one network, for example, uh, fund transfer and whatnot.
Uh, and it helps us not only assess the next part is, uh, being able to underwrite that business. And so the now the pricing is a factor of the assessment as opposed to pricing is a factor of somebody being an MSP or somebody being, uh, public utilities or university for that matter. And then the third thing is, once you underwrite the business, you know, no longer a insurer can just offer a policy. And that would be all about it.
You now have to help your customer and your policy holder improve that risk, because as you all agree, we all agree that you are less secure tomorrow than you are today. Um, and so how do you help your business improve that risk? So there's this risk engineering aspect that you not only use all of your threat intelligence and outside in data when you're not a policy holder. And once you become a policy holder, you have inside out data, like we build this amazing array of connectors.
So we connect to the cybersecurity aggregator of an MSP, for example. And that allows us to not only get more insight, but also offer recommendations on how you can help improve your cybersecurity posture, uh, if you will.
And the third thing is, you know, no matter what the fourth thing is, no matter what you do, whether you do a really good risk selection, you price it really well, you underwrite through the, uh, risk assessment versus revenue and the type of business, you help improve the risk, you're still gonna have some cyber threats. You know, and you think about, and I think a friend of mine describe this as a laptop, a boom, and a right of boom when the event happens, right?
It's not just a prevention and detection that you should look after as a cyber security control, but response and recovery as part of your cyber insurance. But are you there before, during, and after that event occurs? And that is where basically, I call it the claims handling. That is the fourth pillar of closed loop risk management. What it has done, Ryan, for us, is we have maintained about less than 2% reported claims ratio since our launch in the market this two and a half years ago.
Uh, and on an industry average is anywhere from six to 8%. And if you're able to do closed loop risk management, where you're truly able to understand a risk on a continuous basis, not just the time when you underwrite the policy, or not just the time when you have to renew the business or non-renew business. So you basically, uh, able to have a pragmatic approach to underwriting. And this is long way to go. I mean, we still, halfway in our innovation, we are now continuously assessing risk.
We're able to continuously underwrite somebody. We are not continuously changing the price and the premium, right? And maybe in some day in the future, you may have a highly adaptive cyber policies where a one year cyber policy contract is no longer the case. And it could happen. I'm not saying it will happen, but that is where the innovation needs to go.
Um, but succinctly, I try to explain the closed loop risk management, it's a very unique approach, has given a lot of advantage in the marketplace in terms of, uh, our policy holders face smaller number of claims, uh, by at least 80%, uh, compared to some of the other carriers. So I think there's two things to unpack there. One, MSPs want to know, does cowbell both assess and ensure? And then two, I guess let's go a level deeper on what closed loop loop risk management is.
What specific data or telemetry are you looking at? Are you looking at endpoint hygiene, vulnerability scan data? Like what are your sources of information that are helping you to assess That? Yeah, yeah, great question. And so first and foremost, um, we offer insurance products. Uh, we have multiple product prime 100 for small businesses, um, contractors, electricians, restaurant owners, dry cleaners, a prime two 50 product, a more comprehensive product, about 26 different coverages.
Uh, when it comes to MSPs, uh, you're gonna have very few markets provide dependent, uh, contingent business interruption just because of the flow of your software and a code, think about what you do. Managing one network is really hard. Managing 40 other networks for somebody else is very hard. So what you do as part of business is mission critical. It's very complex business. So we ensure MSPs, we ensure businesses.
I think in terms of the data sources, when we collect data about a particular business and how we build our risk pool, uh, first of all, there is just a gigantic amount of data that's out there. You know, paid data, unpaid data. You can look at the attack surface monitoring data. You have a ton of data on dark web, uh, you have vulnerabilities, databases, uh, you have public private data. So we collect all that data that somebody else might find.
The the beau the beautiful part is it's just not about collection data. It's normalizing that data and modeling that data to make sense of what that data tells you. And so we basically normalize that into what we call cowbell factors. That's our proprietary rating factor. There are seven of them, eight of them we just announced. Supply chain ratings factor. That means we can essentially rate a supply chain risk for that particular business.
We are actually producing a next one called insider threat. As you know, insider threat requests a lot of data that is not available outside of firewall. And then the last but not least is once the policy holder is part of cowbells ecosystem, then we provide our policy holders up to 5% credit on premium if they connect their cybersecurity aggregators to our platform using APIs without having to install any hardware software.
And what this allows us to do is it allows us to connect to, let's say you use AWS Security Hub, Google Security Command Center, Microsoft security Score call us vulnerability data, Palo Alto Networks, some training, uh, cyber security training databases. And so it allows us to go behind the firewall and we don't share that data from one customer to other one MSP to other. Uh, if someone decide to disconnect, we immediately delete that data.
We are a great custodian of that data, and we only use that data to provide further intelligence and recommendation to the policy holder so they can take action on it. Yeah. And so that is, I can draw an analogy here. Um, it almost sounds like you're doing what car insurers have done, which is like the safe driver discount, right?
You plug a thing into your car, it'll periodically provide us some data and we'll decide if we're gonna continue to give you a credit on your, your monthly or your, you know, your, your premium as a result of being a safe driver. Um, is that a, do you think that's a fair analogy? I mean, it's probably too, yeah, it's, you know, It's fair and bit simplified for sure. As you know, car data is lot on behavior of driver behavior. Cyber data is, the threat landscape is evolving so much more complex.
So I think it's the way fair to have that type of analogy. It's no different than a life insurer putting a, a wrist, uh, watch, uh, on the policy holder, just so you can track all of your, uh, uh, health metrics, if you will. So similarly, and that is what I think is proposing this conversation as a telemetry. You know, could you, could you base your cyber insurance on telematics, uh, as opposed to just a demographics that, uh, has been, uh, how the insurance has been der in the past. Yeah.
Yeah. Good stuff. Jack. Um, um, I think we're gonna ha we're handing over to Wes and, um, is that correct, Ryan? Awesome. Really good stuff. Yeah. Yeah. Jack, I've got a couple questions for you too. Um, but Dustin, I wanna start with you for a minute. Um, let's, let's talk about this for a minute. Like, let me just give you my perspective and then I want you as an Ms. P to like, tell me where I'm right or wrong or where things are going, right? So we know rates have skyrocketed.
We, I talk to a lot of MSPs and they'll say things like, you know, insurance doesn't want to pay out, and they'll find every way possible to not pay out. And like, they're dirty and, and it's, it's an awful thing. And you know, this whole, like when a, when a breach happens and then the client gets mad at me for it, and then you get into like subrogation. You hear Chris Laer talk about all the nuances there, post incident, like this thing is a royal mess.
And then I also think I have had the opportunity to look at so many different insurance, cyber insurance applications, especially for clients. And it's so weird. Like you'll see one that's a two pager, one that's an eight pager, one that ask these lists of questions that seem great, one that ask these that don't even make sense. Like there's not even, it's almost like the insurance companies don't even actually know how to assess risk correctly, right?
So that's how I see things in the conversations I'm having with MSBs, like every day. But give me your perspective. You as an MSP that's been been deep in cyber insurance for over a year, I can trust your input so much more. So, so how do you see this right now in this space? The chat's already going crazy on how much we can trust insurance and how much they actually understand.
Um, yeah, so it, the biggest thing to me is, uh, somebody gave me the analogy of like, if you look at property insurance, right? Fires haven't changed that much in the last a hundred years. And if you just go look at the, you know, Jack said earlier, the last six months, um, I feel like insurance is perpetually playing catch up, right? Is, oh, there's this new thing. Um, my favorite thing was I walked into an insurance meeting and they were talking about Kaseya.
I said, on the cyber call, I said, those guys were talking about the Buffalo jump like a year before it happened. And literally every insurance guy in the room just kind of looks over at me and they're like, what? Like, you guys knew this was coming? It's like, yeah, like everybody did. Uh, so that's been one of the biggest struggles for me is that they're trying to catch up, um, you know, talking like MFA, right? Okay. Do you have MFA turned on?
Everybody on the call right now is like, okay, that's a broad question. What does that mean? But we're starting to see it get more specific. Now, do you have MFA turned on for VPN? Do you have it turned on for this, that, or the other? So I think the biggest problem right now is just insurance is playing so much catch up.
Um, that, you know, there's still several steps behind us as MSPs that we understand this, we're in it every day, and they're just starting to pick up, you know, the nuances of all this stuff. So, um, it's getting better, but it's still not, they're still not close to where we're at as MSPs. And it, it seems like you have cyber, you, you have cyber insurance carriers working directly with a client and the client doesn't even know their technology profile.
They don't even know what two factor is or where it's deployed. Like or the Agents. Or the agents. Yes. Yeah. Right. So like, I guess MSPs, it's a non-negotiable that MSPs get involved in cyber insurance discussions with their clients because there's way too much risk on the line if we don't. Because it's easy for an a client just to say, yeah, we do that. Yeah, we do that. Oh, I have like, you know, this free A VG antivirus that should meet the, the EDR requirements. Sure. Check.
We're good to go. And then all hell breaks loose post incident, right? Yep. So that's what we're trying to break it up. We Could feel better. Wes, 12% of people are already doing it. Yeah, Yeah, Yeah. So we're trying to get ahead of it because what I don't want to have happen, and what's the worst is that they come back and they're like, Hey, we did this policy, you know, our insurance is saying that we need to add this before they'll do this. I'm like, hold on a second.
Like, what, what did you fill out? Oh, our agent helped us. I'm like, that dude sells fire insurance and auto and like, they don't understand cyber at all. You know, that's why call me please. And so setting that expectation early on, you know, that's a core part of our business we're doing. Uh, Gary kind of alluded to it earlier, right? We're leading on a lot of sales with that.
You know, we can, uh, our technology stack, we're bundled, we're, uh, you know, we're selling you chocolate cake, Gary, uh, all this stuff's built in to help you qualify for the best cyber insurance policies. Okay. Role play for you. Super quick then. Dustin, I'm a client, you're talking to me. Give me a, give me a quick how you introduce cyber insurance into your discussions in your qbr. Yeah, so, uh, we're an MSP that places security first.
Uh, you know, as part of our monthly agreement, we're gonna have, I'm gonna include all this great security stuff. I don't, not saying I can stop a breach, but we're gonna give you really good odds that, you know, to minimize it, reduce the damage. And it's not just me saying that whenever you go to get your cyber insurance, you're gonna get a really good policy because they're gonna say, wow, Mr.
Client, like, you got all the right stuff in place that insurance sees statistically helps keep your business more secure. So it's not just me saying, we have great security, it's gonna check all these boxes on your cyber insurance too. And Mr that point, they're just like, oh, And Mr. Prospect, do you really care whether you pay me 4,000 a month or 5,300? No. In the scope of that, does it really matter relative to your business, your revenue, your risk?
This is a really difficult conversation, right? Because this feels like what was happening with between vendors and MSPs in the early, like 20, 18, 20, early 2019 timeframe where like vendors were blaming MSPs and MSPs were blaming vendors and it was like this.
And so like, there's a little bit of that with cyber insurance right now where like, you know, everybody's shaking their hand at the other person being like, insurers and insurers are like MSPs and like, there's not a, there hasn't been this like a mutual trust developed yet. And it's, it is difficult because you're trying to, you're trying to apply and basically antiquated sciences to a very fluid landscape.
Um, It's a, And yeah, we, we, we need to acknowledge that to some extent, especially as MSPs, you're gonna be sitting in between a somewhat antiquated process and SMBs trying to help them get the best end result. There's a lot of value in there if you figure out how to have that conversation and, and bring these two people together. I mean, outside of your own challenges that you're gonna have with it as well.
If, if I may jump in, uh, you know, look, this is a two, this is a two century, multiple century year old industry. And so we all are trying to innovate what need to happen, especially with the brand new line. And I mean, look, five out of four out of five SMBs do not have cyber insurance today, right? And that's a lot of businesses, you know, in SME space that are uninsured and un underinsured, the average cost of ransomware is about 200 K.
So Friday night you get a ransom demand at 5:30 PM there is four out of five absolutely may not have $200,000 to pay. You wanna have, and so insurance doesn't replace the cyber security control. I think they're so complimentary to each other, right? So what we have done, we actually have an MS P persona in our platform. You know, MSPs as a software distributor services provider, you know, we cannot sell cyber insurance policies. We're not a broker, right?
So there has to be broker involved unless an insurers going directly to the SMBs. So what we do is we actually have a persona for MSPs and MSPs that basically, uh, no cost service to help the SMBs because either you are a policy holder that has an IT staff or you are relying on your MSP partner to manage, run, and operate and secure your IT operations. So we basically build a persona that can help your, uh, business to understand what your cyber posture look like.
So we are simply as a insurance provider, it's not just about policy anymore. You simply offering all other types of tools at no cost just to make sure that not only the cyber posture gets better, but you have, uh, efficiency into your claims process so that incident doesn't become claims and you can mitigate the incidents. And so it's good for the broker involved, the MSP that's helping the policy holder, the policy holder, and folks like ourselves.
So I just wanted to jump in on that conversation that there's a lot of innovation that needs to, uh, take place in this market. Uh, but the new players like ourselves, uh, are really, uh, hoping to innovate in, in the same premise that what we are discussing here. Okay, Wes? Yeah, go Ahead, Andrew, if I may, and I'll turn right back to you. You know, I think it's really important, Gary, I'd love you to just give your, your, your spin on this. 'cause again, like it's so ubiquitous.
So if you look at the poll you got, it's varying 12%, 14%, 10% goes up and down, know whether their clients have cyber or not. They're the guys like Dustin. But if you think about it, that's our industry. That 10%. So there's a huge bridge back. There's a huge opportunity here.
If you've been involved in the cyber call and, and, and can start to look at these things like the top five ransomware attacks, uh, top five attacks in CIS and build your stack around, there's a reason for all these resources we're bringing Gary just synopsis on that. Do, does that make sense? Yeah. I did a message for our True Methods members this week that basically was titled The Gap is widening and this is why.
So what I'm seeing, 'cause I get to see the numbers right, of, uh, couple hundred MSPs every quarter. The people that are getting what you're talking about, right, that are on top of this, you know, their average MRR, their average seat price, new MRR, uh, new from existing, everything is going up. So the gap between top providers and bottom 50%, uh, is, is widening.
I mean, there's always a gap in every industry, but, but I see it widening and this is the reason why Andrew, we're getting to the core of it. 'cause when you get where, you know, Dustin has gotten to, you know, we were talking in the green room and you know, he's able to pick and choose his clients right now, right? And so that's, that's where we are.
And there's somebody, there's multiple MSPs that are within an eight mile radius of you, Dustin, that are saying that they can't get their customers to pay more and they can't get new business. Austin prices seem to be going down. Like I'm seeing people going back to $125 per seat. It's kind of weird, scary. So, um, I was gonna say earlier too, to Jack's point, right? Uh, it is a frustration of that, you know, the kind of the MSP needs a partner to go to, right?
'cause that's the other part of it. Like I understand it, but I'm not an agency. I can't do it. So that was the big appeal. I looked for a couple years and had, uh, it was actually Jeremy Young at Hunters was one who introduced me to Fifth Ball. Um, 'cause he said, Hey, you've complained me enough about this. Like I found somebody. And so that's been an awesome is the co-sell, right?
Because whenever it's there again insurance like, hey, I got my bad guy that I get to bring in the insurance company, the insurance agent. Um, that's just been awesome, uh, because again, it makes you as an MSP look good. Now, it's not you saying you gotta have on MFA, you have to do this is I got this great insurance partner that understands the technical parts of it, you know, the cyber. And it's like, no, this is necessary. This gets you a good policy.
And you know what Dustin's MSP, they were telling you all the right stuff. And so suddenly the customer, the CFO's looking at me like, okay, you know, good job guys. Um, it makes it easy That that's what MSPs need. A hundred percent. That's what they need. And I love hearing that from you, Dustin. Gary, I'm gonna flip to you because I wanna make sure you have time to jump in. Yeah. And you know, there, and the insurance companies are frustrated too.
I mean, I know several MSPs that through working with their customers, made a relationship, um, with these carriers who now are bringing them in to multiple deals. 'cause they're frustrated dealing with MSPs, uh, at SMBs who d really don't understand. Like they're frustrated with it and they feel they're stuck and they wanna renew their customers, but they can't get all the answers that they want. Gary, one thing Wes Mm-Hmm. The question you had, can we just ask it that last one about MDR?
Yeah. 'cause Kelvin, Kelvin asked a question around Huntress. I mean, I'm curious if Jack's seeing other MDR players that are doing a good thing. But if you could, so there's a, if you could ask the question and then I'll put the context of the question Yeah. Asked in, in Chat. I, yeah, I can totally do that. So Jack, what do you, so like you look at Black Point Cyber, if you've seen them, they're getting heavily involved in the cyber insurance discussions.
You look at like Kelvin's question of like, Hey, how does Tres fit into this? Because it exists everywhere. And you know, they're asking, is it EDR? It's not on the checklist. What's the interplay with all these MDRs sox, Sims, all those kind of companies coming on board with, with cyber insurance? Is there, is there some kind of interplay between the MSP and those, those security vendors and then the clients?
Yeah, they, there is, I mean, first and foremost, you know, one of the, and I think some of you discussed this before, a uh, joining an MSP with a broker is a big deal. And we do that all the time now, is when your own MSP, you know, you can sell cyber policies, you insurance broker, they can't figure out what the right cyber risk look like for a business. That teaming is really big deal. Uh, in fact, we, every time we own MSP in question, we'll put them with a broker.
Now, some MSPs, like Black Point Cyber for example, they have taken it to, in their own hands, they created their own agency. Right? And what we've done to add value into that, um, triangle if you will, is we build a connector for Black Point Cyber MDR. So if you happen to be a, a customer, a business that is monitored using Black Point MDR, and it could be any other MDR by the way, and by the way, that model is amazing. We think we can replicate it far, uh, more times.
And not only it allows us to measure, uh, uh, the risk, which allows us to measure the risk more proactively. And when there is an incident, you already have the MDR and the SOC players right there, right? When you make a phone call, right? The best thing we do when we get a phone call on Friday night is we connect with the Bridge Council what to do, what not to do. But then we find a forensics form, right?
And, but if you have your MSP that's helping you right there, uh, I think that's the big value proposition and it allows you to, even if you have high frequency, uh, event, you can reduce the severity. Uh, so my response to your MDR question is I think that model, uh, can develop, uh, unlimited, uh, options on that model. Uh, but the, the beauty here is an insurance broker, like all of our deals, like we are a hundred percent channel uh, product. That means we don't sell direct.
We always go via broker. They're licensed brokers by the estate, property and casualty brokers and teaming up a brokerage firm with an MSP partner. And I think we've done this at least two dozen times so far. Uh, and it works really well. It also helped us be able to, uh, provide coverage to that MSP in addition to their end users. Uh, really Cool. Yeah. Thanks for that. Ja.
Thanks wa I appreciate 'cause I, I, I think that in general that, that, you know, was really cool that Calvin asked that kind of question. And I think there's gonna be more of those types of questions. Alright, Gary, please. So Dustin, um, Jack just mentioned first thing they do, right when there's an incident, the insurance company's gonna call in Breach Coach. Uh, do you have a breach coach relationship today? We do not. Um, we're going straight to the clients. We have the, uh, policies.
It's one of the first things that we do. Um, I didn't learn this, uh, the hard way firsthand, but I talked to several people that did when the last big hurricane blew through Houston. Great. I got this incident response manual, it's printed out in my office and, you know, our network that's down, I can't get to it. So one of the things we do is get a copy of our client's policies so we can get that incident response line, um, pretty quickly.
So we're, we're picking up the phone calling their policy, um, and Then the breach coach comes through that policy, right? Correct. Yeah. But Gary, are you asking Dustin if he had an incident that you have a breach coach? Do you have a breach coach? We, we don't. Yeah. So I thought you were gonna, I thought for sure you'd say yes.
You know, I was talking to someone who, um, went, went through a breach and what they had said was, there's someone in our peer groups, um, that they had a breach coach, mainly because what we, I'd been taking from the cyber call back to people. And that what a difference it made. He talked to his insurance company, they gave him some, they approved, he interviewed them.
Um, so not only did it completely change how his, um, incident went, but also from that perspective, he learned a lot about, you know, cyber insurance because they get brought into things, you know, uh, after it. So that's the reason why I asked the question. Um, can you give some insights on your packaging and pricing? You mentioned chocolate cake, so you're trying to bundle things and has it changed since last summer with all the additional controls in your stack? Yeah.
Um, I just wanna say it's awesome that Gary Peak is asking me about sales. Um, yeah, so we're doing, uh, one single plan. Um, that's it. So, uh, everything included, uh, we're doing firewalls. Uh, you know, we offsite backups, even backups on 365. Um, as far as what it's included, uh, is we are rolling in, uh, EDR right now. Um, that's something that we didn't have as, uh, included before. That's gonna be baseline across the board. Uh, we're even doing it across existing customers.
So, uh, we're doing our annual price raises and putting that in place as we do it. Uh, the next thing we'll probably add is gonna be, uh, full sim with one year retention. Uh, 'cause that is something from the insurance side they're starting to look at. And it's also just super useful to have, right? Being able to go back and look. Um, I'll say what we have right now is kind of half baked. So, um, yeah, we're slowly, uh, just as we get stuff done is continuous improvement, right?
So kind as we get one project done, we're looking for the next product that we wanna roll in and then doing that and just the onwards and upwards. And then I think you mentioned pricing as we're starting at our low end's gonna be about $200 a seat going up to, uh, yeah, I think we have one that's like at three 50. Um, yeah, You almost, you almost have to live there right now. Yeah.
Like I tell people, you're either living in that area or you're, you client and yourself aren't insecure, um, as they probably need to be, right? Yeah. One we're about the, oops, Sorry. I was gonna say just, I just love the way, you know, when you get pulled in to former customers, Hey Gary, we're getting a call from an MSP, you know, and they want to charge us this. And you're like, you're not gonna be secure. Like just literally hearing the numbers is Yeah. Yeah.
When my friends call me advice, when their MSPs wanna raise their price, I'm like, well, do you want to be secure or not? You know? 'cause they can't, I can't tell you at that price. They'll secure you. But I can tell you at the lower price, they can't 'cause So I one recently, But I know a lot about seat costs. Yeah. Well I was gonna say, I had one recently I was talking to where they're like, oh, well we're only paying like 1 25 right now.
I said, all right, well what do they have on security? Like, they pulled out their invoice and they're like, we got antivirus. I said, yeah, 'cause they can't afford, they haven't even talked to you about anything else. They're like, oh, I guess we could ask them. Like, you know, they said, don't worry about it, we got it. I was like, well that's you, you don't got it whenever that's all you have in there. Yeah. They should at least be talking to you about other stuff.
So that I've gotten pretty comfortable now, you know, the ones that don't get it walk away from, but I've gotten pretty comfortable with that conversation at this point. Um, and again, going back to our topic, you know, lead with cyber insurance, they're saying, you need all this stuff, let's talk about it. Um, yeah, that's really good. Do you find that now you've reached, because you're selling a bunch, do you find that, um, your pricing is starting to become a competitive advantage?
Like I always talk about weaponizing your competitors on price. Yeah. Have you gotten to that point where it just makes a real conceptual, you know, discussion where you can weed people out and have a high close rate with the ones who get it? Yes. Yeah. So, um, if you exclude, um, it's been probably like six months since I ran the numbers, but basically like screening 'em out on the first intro call, right? Where it's like, oh, you know, we're not interested.
I really don't want MFA, I'm pushing a little bit. And it's like, you know what? We're not a great fit. Here's the, you know, guy down the street. But, uh, at that point, once they got past the first call, it was like, we're closing 80% or something like that. And a lot of times we owned up being the only one that they seriously looked at, uh, as well. So I don't know if that counts on the sales numbers, but, uh, we're getting the ones that we want. Let's put it that way.
I'm sorry, man, you're making me get a little choked up. You taught me everything. I know, man. Took me 10 years to get here. So I have one more question for you. Um, I believe Fifth Wall has a vision about working through MSPs, right? Yeah. Yeah. So can you Talk through like what that strategy is? Yeah, so I mentioned earlier that was one of the things I got connected is I got frustrated on the cyber insurance side of just, you know, the agents not realizing making my life harder, so to speak.
Um, and so, uh, Reed is the, uh, president over at Fifth Ball that I work real close with. And so it is like, think of it as co-selling almost, right? Is fifth ball's bringing in, uh, an agent with you. Okay, great, we can go to these 35 different insurance markets and stuff. But they also get MSPs to where it's like, okay, you're not, you. They'll never send the app, right? Just to the client. It's like, Hey Dustin, we need to do this.
Can you get on the phone with us and the client help fill out? We're gonna talk to you about what's going on. Um, so both from an educational and support standpoint, right? You're not on an island. You're not wondering what is this agent doing? Do they know? But then the other part is, you know, Hey Wilson, I need you to jump on with me. This client's coming up for renewal. They're frustrated about this, you know, and we've been trying to get 'em to do SIM or whatever.
And so it's an awesome, again, you know, insurance is the bad guy, no offense, Jack. Um, but you know, from the, uh, MSP standpoint, suddenly you look like the hero because I've been telling you to do all this stuff and the client's sitting there, you know what, Dustin, you're right. Like my policy was about to double. Let's get all this stuff in place.
And then, you know, they're getting, insurance is happy, they're getting a good rate, and, you know, you actually feel confident navigating the cyber insurance piece. So the education has just been the biggest thing. Like, I understand, you know, the stuff, I'm not near on Jack's level, right? I'm still kind of getting started as far as knowledge goes, but it doesn't scare me when those apps come in. That's a, that's a competitive advantage.
Like you said earlier, Gary, now cyber insurance, I want those apps coming in. That's the clients, their MSPs are going, I have no idea. And I'm sitting here, you know, I bring in my fifth wall guy, we have that conversation and I'm closing these deals. Um, it's been, I said that earlier, right? Is I've been, you know, personally as an MSP, it's been good for me, uh, the last two years of just all the craziness and cyber insurance. That's awesome.
So Jack, um, you have hundreds, uh, of MSPs listening right now and probably thousands that are gonna listen to this, uh, recording. So from your perspective and what you see, what advice would you give an MSP in terms of their own security program as well as their clients? Yep. By the way, I see 4,500 people. So this is a amazing kudos to you for, uh, building such an amazing audience. Uh, here.
You know, I think first and foremost, um, of course the whole ecosystem would want the MSPs to look great for their customers, especially when there's an incident. And, you know, I would say that number one thing is to limit the liability on you as an MSP. Um, my encouragement would be to make sure all of your customers have cyber insurance policies. Right now, they're not MSPs, right? There's a lot of markets, right?
Uh, it's, there are traditional carriers, some of our cohorts, uh, that's number one. Number two, there are some really basic things that we ask for end customers. Uh, and you know, we, we took an approach of, uh, Dustin, like we don't have an app, uh, tool, uh, per se because we don't really look at the subjective questionnaires and answer. It changes. And it's hard for our, um, MSP and InfoSec, uh, friends to actually fill that out.
Uh, but having an incident response plan, like I think going back to Gary's question, what you do right outside of calling your MSP, right? Do you get a brief console? Do you, what's your next immediate step when there is an incident, right? 70% of the ransom demand, we don't end up, uh, uh, negotiating. That means there is a good backup. It's offline, right? Incident response plan that outlines the step that's tested, a backup that is encrypted that is offline.
Uh, of course, and we talked about MFNI don't want to get into, you know, which MFN what type of thing. That's number one. In terms of end user as an MSP, I would definitely try to build a broker partnership because like Dustin said, it's a co-selling opportunity. Uh, and it is a very powerful relationship in that process. And not only they will help you, brokers are obligated, uh, to give, uh, good advice. It's, uh, insurance, uh, a business.
You know, this is a century old business and they have to find the right coverage for you, right? That means there are a lot of different products out there. There are admitted products that are non-admitted products. There are simple forms. There are broad form. What is the right coverage you're looking for if you're a restaurant owner or a dry cleaner, maybe a standard ISO eight coverages, $1,300 policy, million dollar policy, just good enough for you.
But if you're a heavy construction manufacturing shop, you might need to figure out CCPA, GDPR. If you use AWS or Google Unit Crypto, um, uh, there is lot that needs to happen. And that type of knowledge only a broker, uh, can help. Now we try to educate the market in terms of, you know, uh, content, resources, material. Uh, but you know, my advice Gary Succinctly is find a broker partner. Make sure end customers actually have cyber insurance policy.
And yes, you know, your own shop, uh, continuous risk assessment. I mean, MFPs are better, uh, than insurance companies in trying to assess the risk. So you should have the skin in the game, uh, in terms of how you assess your own risk. And there are markets to get a right coverage for you, right? If your, all of your customers have cyber insurance coverage is less likely you're gonna need a contingent BI coverage, for example.
And then that makes it much easier for you to have multiple options when you look for your own cyber insurance policy. So, uh, that's all I would say, uh, in terms of what you would wanna do. Uh, but stay vigilant on the coverages as they change at the time of renewal. Uh, don't be surprised if the rates are going up. Rates are not coming down anytime soon. Yeah. So Andrew, I'll, um, I'll send it back to you.
We're at the top of the hour, but, um, uh, couple things we picked up today, like these reoccurring thing, you know, just having an instant response plan, right? That's gonna lead you to ask different questions. And then Ryan's putting in, uh, into the chat there about IG one, which we've been talk again, just pounding on on a weekly basis. Like basis, some things you can do now that you can start with, right? That are gonna get you on the fairway. And that's where we all need to be.
Yeah, really well summed up Gary, Unlike Tiger, who was mainly in the rough, Really well, summed up Gary. And again, we can talk about patient zero or client zero. I mean, these are things if you looked at IG one and we're gonna, you know, we'll bring in Phyllis back and, you know, help everybody out from CIS. So, um, first off, Dustin, thank you for joining us. Yeah, really good to have you. Really good to have the voice of the MSP on. Great job.
Congrats on all you're doing there in, uh, in Austin. Thanks. Yeah, Jack, uh, really good to see you again. And really, thanks so much for bringing, you know, the industry perspective. Congrats on all your success at cowbell and, and pushing you a lot more, my friend. Thank you. We Need more cowbell. You need more cowbell. That's the prescription. I, I got fewer. Thank you. Thank you for having me on. I really appreciate, and, uh, uh, it's great to be on here with you.
Yeah, I put in chat earlier, but everybody, I would recommend going to Jack's home page. Um, there's a great dummies book and, and I downloaded it. It's fantastic, Jack. So just those resources to start to familiarize yourself. Um, but anyway, I'll, I'll close with this. That wishing everybody a fantastic week. Look forward to seeing everybody next week. We'll have John Strand on actually talking about the MSP security training. You, you're doing that on the holiday. Oh, I'm sorry.
Apologize, Gary, the following. Thank you for, I was gonna Say like if I, if I can get internet up my boat, I'll be fair enough. Sorry. The following Monday, the following Monday, John, I'll be on back with us. So, um, but yeah, you, you can join in, Gary, that'd be great to have you from the boat. Um, all right, take care everybody. Be safe. Thanks again, Jack. Thanks Dustin. Thanks.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois